CVE-2025-55173

EPSS 0.1%
Veröffentlicht 29.08.2025 22:00:05
Zuletzt bearbeitet 08.09.2025 16:42:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vercel ≫ Next.Js SwPlatformnode.js Version < 14.2.31

Vercel ≫ Next.Js SwPlatformnode.js Version >= 15.0.0 < 15.4.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.276

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

Vendor Advisory

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

Patch

https://vercel.com/changelog/cve-2025-55173

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-55173

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55173

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55173

EUVD